Quantum cryptography protocol

ABSTRACT

An apparatus and method for implementing a quantum cryptography system encoding bit values on approximations of elementary quantum systems with provable and absolute security against photon number splitting attacks. The emitter encodes the bit values onto pairs of non-orthogonal states belonging to at least two sets, and such that there does not exist a single quantum operation allowing to reduce the overlap of the states in all the sets simultaneously.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to the field of quantum cryptography, and more particularly to a method for exchanging a key with guaranteed security using systems vulnerable to photon number splitting (PNS) attacks, i.e. a quantum cryptography protocol robust against PNS attacks.

2. Discussion of Prior Art

If two users possess shared random secret information (below the “key”), they can achieve, with provable security, two of the goals of cryptography: 1) making their messages unintelligible to an eavesdropper and 2) distinguishing legitimate messages from forged or altered ones. A one-time pad cryptographic algorithm achieves the first goal, while Wegman-Carter authentication achieves the second one. Unfortunately both of these cryptographic schemes consume key material and render it unfit for use. It is thus necessary for the two parties wishing to protect the messages they exchange with either or both of these cryptographic techniques to devise a way to exchange fresh key material. The first possibility is for one party to generate the key and to inscribe it on a physical medium (disc, cd-rom, rom) before passing it to the second party. The problem with this approach is that the security of the key depends on the fact that it has been protected during its entire lifetime, from its generation to its use, until it is finally discarded. In addition, it is very impractical and tedious.

Because of these difficulties, in many applications one resorts instead to purely mathematical methods allowing two parties to agree on a shared secret over an insecure communication channel. Unfortunately, all such mathematical methods for key agreement rest upon unproven assumptions, such as the difficulty of factoring large integers. Their security is thus only conditional and questionable. Future mathematical developments may prove them totally insecure.

Quantum cryptography (QC) is the only method allowing the distribution of a secret key between two distant parties, the emitter and the receiver, [1] with a provable absolute security. Both parties encode the key on elementary quantum systems, such as photons, which they exchange over a quantum channel, such as an optical fiber. The security of this method comes from the well-known fact that the measurement of an unknown quantum state modifies the state itself: a spy eavesdropping on the quantum channel cannot get information on the key without introducing errors in the key exchanged between the emitter and the receiver. In equivalent terms, QC is secure because of the no-cloning theorem of quantum mechanics: a spy cannot duplicate the transmitted quantum system and forward a perfect copy to the receiver.

Several QC protocols exist. These protocols describe how the bit values are encoded on quantum states and how the emitter and the receiver cooperate to produce a secret key. The most commonly used of these protocols, which was also the first one to be invented, is known as the Bennett-Brassard 84 protocol (BB84) [2]. The emitter encodes each bit on a two-level quantum system either as an eigenstate of σ_(x) (|+x> coding for “0” and |−x> coding for “1”) or as an eigenstate of σ_(y) (|+y> or |−y>, with the same convention). The quantum system is sent to the receiver, who measures either σ_(x) or σ_(y). After the exchange of a large number of quantum systems, the emitter and the receiver perform a procedure called basis reconciliation. The emitter announces to the receiver, over a conventional and public communication channel, the basis x or y (eigenstate of σ_(x) or σ_(y)) in which each quantum system was prepared. When the receiver has used the same basis as the emitter for his measurement, he knows that the bit value he has measured must be the one which was sent over by the emitter. He indicates publicly for which quantum systems this condition is fulfilled. Measurements for which the wrong basis was used are simply discarded. In the absence of a spy, the sequence of bits shared is error free. Although a spy who wants to get some information about the sequence of bits that is being exchanged can choose between several attacks, the laws of quantum physics guarantee that he will not be able to do so without introducing a noticeable perturbation in the key.

Other protocols—like the Bennett 92 (B92) [3]—have been proposed.

In practice, the apparatuses are imperfect and also introduce some errors in the bit sequence. In order to still allow the production of a secret key, the basis reconciliation part of the protocol is complemented by other steps. This whole procedure is called key distillation. The emitter and the receiver check the perturbation level, also known as quantum bit error rate (QBER), on a sample of the bit sequence in order to assess the secrecy of the transmission. In principle, errors should be encountered only in the presence of an eavesdropper. In practice however, because of the imperfections of the apparatus, a non-zero error probability can also always be observed. Provided this probability is not too large, it does not prevent the distillation of a secure key. These errors can indeed be corrected, before the two parties apply a so-called privacy amplification algorithm that will reduce the information quantity of the spy to an arbitrarily small level.

In the last years, several demonstrations of QC systems have been implemented using photons as the information carriers and optical fibers as quantum channels. While the original proposal called for the use of single photons as elementary quantum systems to encode the key, their generation is difficult and good single-photon sources do not exist yet. Instead, most implementations have relied on the exchange between the emitter and the receiver of weak coherent states, such as weak laser pulses, as approximations to ideal elementary quantum systems. Each pulse is a priori in a coherent state |μe^(iθ)> of weak intensity (typically the average photon number per pulse μ≈0.1 photons). However, since the phase reference of the emitter is not available to the receiver or the spy, they see a mixed state, which can be re-written as a mixture of Fock states, Σ_(n)ρ_(n)|n><n|, where the number n of photons is distributed according to Poissonian statistics with mean μ and ρ_(n)=e^(−μ)μ^(n)/n!. QC with weak pulses can be re-interpreted as follows: a fraction ρ₁ of the pulses sent by the emitter contain exactly one photon, a fraction ρ₂ two photons, and so on, while a fraction ρ₀ of the pulses are simply empty and do not contribute to the key transmission. Consequently, in QC apparatuses employing weak pulses, a rather important fraction of the non-empty pulses actually contain more than one photon. The spy is then not limited any longer by the no-cloning theorem. He can simply keep some of the photons while letting the others go to the receiver. Such an attack is called a photon-number splitting (PNS) attack.

If we assume that the only constraints limiting the technological power of the spy are the laws of physics, the following attack is in principle possible: (1) for each pulse, the spy counts the number of photons, using a photon number quantum non-demolition measurement; (2) he blocks the single photon pulses, while keeping one photon of the multi-photon pulses in a quantum memory and forwarding the remaining photons to the receiver using a perfectly transparent quantum channel; (3) he waits until the emitter and the receiver publicly reveal the bases used, and correspondingly measures the photons stored in his quantum memory: he must discriminate between two orthogonal states, and this can be done deterministically. In this way, he obtains full information on the key, which implies that no procedure allows the legitimate users to distill a secret key. In addition, the spy does not introduce any discrepancies in the bit sequences of the emitter and the receiver. The only constraint on PNS attacks is that the presence of the spy should remain undetected. In particular, he must ensure that the rate of photons received by the receiver is not modified.

In the absence of the spy, the raw rate of photons that reach the receiver is given by:

$$R_{\mathrm{Receiver}}(\delta) = \mu \cdot 10^{-\delta/10} \quad [\text{photons/pulse}] \qquad (1)$$

where δ=αL is the total attenuation in dB of the quantum channel of length L. Thus, the PNS attack can be performed on all passing pulses only when δ≧δ_(c) with R_(Receiver)(δ_(c))≅ρ₂: the losses that the receiver expects because of the fiber attenuation are equal to those introduced by the action of the spy storing and blocking photons. For shorter distances, the spy sends a fraction q of the pulses on his perfectly transparent channel without doing anything and performs the PNS attack on the remaining 1−q fraction of the pulses. The receiver measures a raw detection rate

$$R_{\mathrm{Receiver|Spy}}(q) = q\mu + (1-q)B \quad [\text{photons/pulse}] \qquad (2)$$

where B=Σ_(n≧2)ρ_(n)(n−1). The parameter q is chosen so that R_(Receiver|Spy)(q)=R_(Receiver)(δ). The information the spy gets on a bit sent by the emitter is 0 when he does nothing, and 1 when he performs the PNS attack, provided of course that the receiver has received at least one photon:

$$I_{\mathrm{Spy}}(q) = \frac{(1-q)S}{q + (1-q)S} \quad [\text{bits/pulse}] \qquad (3)$$

with S=Σ_(n≧2)ρ_(n). The critical length of the quantum channel is determined by the condition R_(Receiver)(δ_(c))=R_(Receiver|Spy)(q=0). For an average photon number μ=0.1, one finds δ_(c)=13 [dB], which corresponds to a distance of the order of 50 km (α=0.25 [dB/km]).
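The following Python sketch is an added example, not part of the patent text. It evaluates Eqs. (1) to (3) to reproduce the quoted critical attenuation for μ=0.1 and to show how the spy's information grows with channel loss. The function names are hypothetical, and the closed forms used for B and S are the standard Poisson identities for the sums defined above.

```python
import math

def poisson(mu, n):
    """rho_n = e^(-mu) mu^n / n!, photon-number distribution of a weak pulse."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def multi_photon_terms(mu):
    """Closed forms of the sums over n >= 2 used in Eqs. (2) and (3).

    B = sum rho_n (n - 1) = mu - 1 + e^(-mu)
    S = sum rho_n         = 1 - (1 + mu) e^(-mu)
    """
    b = mu + math.expm1(-mu)                    # expm1 keeps precision for small mu
    s = -math.expm1(-mu) - mu * math.exp(-mu)
    return b, s

def receiver_rate(mu, delta_db):
    """Eq. (1): raw rate at the receiver without a spy [photons/pulse]."""
    return mu * 10 ** (-delta_db / 10)

def critical_attenuation_db(mu):
    """delta_c solving R_Receiver(delta_c) = R_Receiver|Spy(q=0) = B."""
    b, _ = multi_photon_terms(mu)
    return -10 * math.log10(b / mu)

def spy_information(mu, delta_db):
    """Return (q, I_Spy) from Eqs. (2) and (3) for a channel loss of delta_db."""
    b, s = multi_photon_terms(mu)
    rate = receiver_rate(mu, delta_db)
    if rate <= b:
        # At or beyond delta_c the attack can be run on every pulse (q = 0).
        return 0.0, 1.0
    q = (rate - b) / (mu - b)                   # solve q*mu + (1-q)*B = rate
    return q, (1 - q) * s / (q + (1 - q) * s)

def report(mu=0.1, alpha_db_per_km=0.25):
    """Critical loss, critical distance, and (km, q, I_Spy) rows for a fiber."""
    delta_c = critical_attenuation_db(mu)
    rows = []
    for km in (0, 10, 20, 30, 40, 50):
        q, info = spy_information(mu, alpha_db_per_km * km)
        rows.append((km, q, info))
    return delta_c, delta_c / alpha_db_per_km, rows

if __name__ == "__main__":
    delta_c, km_c, rows = report()
    print(f"delta_c = {delta_c:.2f} dB, critical distance = {km_c:.1f} km")
    for km, q, info in rows:
        print(f"{km:3d} km  q = {q:.4f}  I_Spy = {info:.4f} bits/pulse")
```

For a system designer the same functions give the loss budget within which a weak-pulse BB84 link with a given μ still leaves the spy with incomplete information under this attack model.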

Although the PNS attacks are far beyond today's technology, their consequences on the security of a QC system relying on weak coherent states are devastating, when they are included in the security analysis [4]. The extreme vulnerability of the BB84 protocol to PNS attacks is due to the fact that whenever the spy can keep one photon, he gets all the information, since he has to discriminate between two eigenstates of a known Hermitian operator, which is allowed by the laws of quantum physics.

SUMMARY OF THE INVENTION

The primary object of the invention is to allow the exchange of a key featuring absolute security with a quantum cryptography apparatus using approximations, such as weak coherent states, to ideal elementary quantum systems.

It covers a new class of protocols for QC in which the emitter encodes each bit onto a pair of non-orthogonal states belonging to at least two suitable sets, which allow PNS attacks to be neutralized, and thus lead to secure implementations of QC with weak coherent states over longer distances than present protocols.

The apparatus of the emitter (see FIG. 1) consists of a source of quantum states and a preparation device. Both of these elements are controlled by a processing unit. A random number generator is connected to this processing unit, in order to allow random preparation of the quantum states. After preparation, these states are sent along a quantum channel to the receiver. The receiver consists of an analysis device followed by a detection unit, both controlled by a processing unit. A random number generator allows the processing unit to randomly choose the analysis basis. The emitter and the receiver are connected by a conventional communication channel.

The emitter encodes each bit in the state of an elementary quantum system, belonging to either of the two sets A={|0_(a)>,|1_(a)>} or B={|0_(b)>,|1_(b)>}, chosen such that |<0_(a)|1_(a)>|=η_(a)≠0, |<0_(b)|1_(b)>|=η_(b)≠0, and that there does not exist a single quantum operation, whether probabilistic or not, reducing simultaneously the overlaps of the states within all the sets (see FIG. 2, left).

In order to obtain results correlated with those of the emitter, the receiver has to distinguish between two non-orthogonal states. He can do so by implementing in his analysis device a generalized measurement that unambiguously discriminates between these two states at the expense of sometimes getting an inconclusive result. Such a measurement can be realized by a selective filtering, whose effect is not the same on all states, followed by a von Neumann measurement on the states that pass the filter. In the example of FIG. 2, this filter, discriminating between the elements of A, is given by

$$F_{A} = \frac{1}{\sqrt{1+\eta}}\left( |{+x}\rangle\langle 1_{a}^{\perp}| + |{-x}\rangle\langle 0_{a}^{\perp}| \right),$$

where |ψ^(⊥)> is the state orthogonal to |ψ>. A fraction 1−η of the states of set A passes this filter. For the states that do, the von Neumann measurement of σ_(x) allows their discrimination. The emitter randomly applies on each quantum system one of the two filters F_(A) or F_(B), and measures σ_(x) on the outcome. Subsequently, the emitter discloses for each bit to which set A or B the associated quantum system belonged. The receiver then discards all the items in which he has chosen the wrong filter and informs the emitter.

One particular example of a protocol that belongs to this new class amounts to a simple modification of the key distillation procedure applied to bits produced by an apparatus normally used with the BB84 protocol.

The emitter sends randomly one of the four states |±x> or |±y>. He applies the convention that |±x> code for 0 and |±y> code for 1. For a given state, the receiver measures randomly σ_(x) or σ_(y), which constitutes the most effective unambiguous way to discriminate between these states. After the exchange of a sufficiently large number of states, the emitter announces publicly one of the four pairs of non-orthogonal states A_(ω,ω′)={|ω_(x)>,|ω′_(y)>}, with ω, ω′∈{+, −}. Within each set, the overlap of the two states is

$$\eta = \frac{1}{\sqrt{2}}.$$

Let us assume for example that a |+x> was sent by the emitter, and that he subsequently announced the set A_(+,+). If the receiver has measured σ_(x), which happens with 50% probability, he obtains with certainty the result +1. However, since this outcome is possible for both states in the disclosed set A_(+,+), it must be discarded. If the receiver has measured σ_(y) and obtained +1, again he cannot decide which state was sent by the emitter. However, if he has measured σ_(y) and obtained −1, then he knows that the emitter must have sent |+x> and adds a 0 to his key.
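The sifting rule just described can be exercised end to end. The Python simulation below is an added example, not part of the patent text; it assumes an ideal single-photon source, a lossless channel and no eavesdropper, and uses a seeded pseudo-random generator in place of the hardware random number generators. All function names are hypothetical.

```python
import random

def measure(state, basis, rng):
    """Ideal measurement of sigma_<basis> on a state given as (basis, sign).

    An eigenstate of the measured operator returns its own sign with
    certainty; an eigenstate of the other operator returns +1 or -1
    with probability 1/2 each.
    """
    prep_basis, sign = state
    if basis == prep_basis:
        return sign
    return rng.choice((+1, -1))

def announce(state, rng):
    """Public announcement: a pair A_(w,w') = {|w x>, |w' y>} that contains
    the sent state. Returned as the tuple (w, w'); the sign of the state
    that was not sent is chosen at random."""
    prep_basis, sign = state
    other = rng.choice((+1, -1))
    return (sign, other) if prep_basis == "x" else (other, sign)

def receiver_decode(basis, outcome, announced):
    """Receiver's rule: keep a result only if it rules out one of the two
    announced states. Returns the key bit, or None for a discarded item."""
    w_x, w_y = announced
    if basis == "x" and outcome == -w_x:
        return 1          # |w x> is excluded, so |w' y> was sent: bit 1
    if basis == "y" and outcome == -w_y:
        return 0          # |w' y> is excluded, so |w x> was sent: bit 0
    return None           # outcome possible for both announced states

def simulate_sifting(n, seed=1):
    """Run n rounds; return the emitter's and receiver's sifted keys."""
    rng = random.Random(seed)   # simulation only; devices use a hardware RNG
    emitter_key, receiver_key = [], []
    for _ in range(n):
        state = (rng.choice("xy"), rng.choice((+1, -1)))
        basis = rng.choice("xy")
        outcome = measure(state, basis, rng)
        bit = receiver_decode(basis, outcome, announce(state, rng))
        if bit is not None:
            emitter_key.append(0 if state[0] == "x" else 1)
            receiver_key.append(bit)
    return emitter_key, receiver_key

if __name__ == "__main__":
    a, b = simulate_sifting(20000)
    print("kept fraction:", len(b) / 20000)
    print("errors:", sum(x != y for x, y in zip(a, b)))
```

Under these assumptions a round is kept only when the receiver measured the operator the state was not prepared in and obtained the sign opposite to the announced one, so about one quarter of the rounds survive and the two keys agree.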

The other steps of key distillation (QBER estimate, error correction and privacy amplification) remain unchanged.

Other objects and advantages of the present invention will become apparent from the following descriptions, taken in connection with the accompanying drawings, wherein, by way of illustration and example, an embodiment of the present invention is disclosed.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:

FIG. 1 schematically illustrates one embodiment of the invention, and

FIG. 2 shows an example of two sets of non-orthogonal states used in the new class of QC protocols, the four states lying in a plane of the Poincaré sphere passing through its center. Effect of the filter F_(A).

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Detailed descriptions of the preferred embodiment are provided herein. It is to be understood, however, that the present invention may be embodied in various forms. Therefore, specific details disclosed herein are not to be interpreted as limiting, but rather as a basis for the claims and as a representative basis for teaching one skilled in the art to employ the present invention in virtually any appropriately detailed system, structure or manner.

Referring to FIG. 1, one embodiment of the invention comprises an emitter 10 and a receiver 40 connected by a quantum channel 20 and a conventional channel 30. The emitter consists of a quantum state source 11 and a preparation device 12 controlled by a processing unit 13. A random number generator 14 is connected to the processing unit 13. The receiver 40 consists of an analysis device 41 and a detection unit 42 controlled by a processing unit 43. A random number generator 44 is connected to the processing unit 43.

The emitter generates a quantum state using his source 11 and encodes, using the preparation device 12, the value of each bit on this quantum state belonging to either of the two sets A={|0_(a)>,|1_(a)>} or B={|0_(b)>,|1_(b)>}, chosen such that |<0_(a)|1_(a)>|=η_(a)≠0, |<0_(b)|1_(b)>|=η_(b)≠0, and that there does not exist a single quantum operation, whether probabilistic or not, reducing simultaneously the overlaps of the states within all the sets (see FIG. 2, left). The states are then sent to the receiver on the quantum channel 20.

The receiver uses his analysis device 41 to perform a generalized measurement that unambiguously discriminates between these two states at the expense of sometimes getting an inconclusive result. Such a measurement is realized by a selective filtering, whose effect is not the same on all states, followed by a von Neumann measurement on the states that pass the filter. An example of such a filter, discriminating between the elements of A, is given by

$$F_{A} = \frac{1}{\sqrt{1+\eta}}\left( |{+x}\rangle\langle 1_{a}^{\perp}| + |{-x}\rangle\langle 0_{a}^{\perp}| \right),$$

where |ψ^(⊥)> is the state orthogonal to |ψ>. A fraction 1−η of the states of set A passes this filter. For the states that do, the von Neumann measurement of σ_(x) allows their discrimination. The detection unit 42 records the outcome of the generalized measurement. The processing unit of the emitter 43 randomly applies on each qubit one of the two filters F_(A) or F_(B), and measures σ_(x) on the outcome. Subsequently, the emitter discloses for each bit the set A or B. The receiver then discards all the items in which he has chosen the wrong filter and informs the emitter through messages on the conventional channel 30.
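The filter F_(A), which also appears in the summary above, can be checked numerically. The Python sketch below is an added example, not part of the patent text. It assumes a constructed real parametrization of set A in the {|+x>, |−x>} basis with overlap η=cos θ, and verifies that F_(A) maps |0_(a)> and |1_(a)> onto the orthogonal states |+x> and |−x> with pass probability 1−η. All names are hypothetical.

```python
import math

def set_a(theta):
    """Constructed set A, as (|+x>, |-x>) components, with overlap cos(theta).

    |0_a> = c|+x> + s|-x>,  |1_a> = c|+x> - s|-x>,  c = cos(theta/2), s = sin(theta/2)
    The orthogonal partners are chosen with the sign that makes both
    surviving amplitudes positive.
    """
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    zero, one = (c, s), (c, -s)
    zero_perp, one_perp = (s, -c), (s, c)
    return zero, one, zero_perp, one_perp

def dot(u, v):
    """Inner product of two real 2-component vectors."""
    return u[0] * v[0] + u[1] * v[1]

def filter_a(theta):
    """F_A = (|+x><1_a^perp| + |-x><0_a^perp|) / sqrt(1 + eta) as a 2x2 matrix."""
    zero, one, zero_perp, one_perp = set_a(theta)
    k = 1 / math.sqrt(1 + abs(dot(zero, one)))
    return [[k * one_perp[0], k * one_perp[1]],     # row giving the |+x> output
            [k * zero_perp[0], k * zero_perp[1]]]   # row giving the |-x> output

def apply(m, v):
    """Matrix-vector product for a 2x2 matrix."""
    return (m[0][0] * v[0] + m[0][1] * v[1],
            m[1][0] * v[0] + m[1][1] * v[1])

def max_gain(theta):
    """Largest eigenvalue of F_A^T F_A; it must not exceed 1 for a
    physically realizable filter (F_A^T F_A is diagonal in this basis)."""
    f = filter_a(theta)
    return max(f[0][0] ** 2 + f[1][0] ** 2, f[0][1] ** 2 + f[1][1] ** 2)

def discriminate(theta):
    """Apply F_A to both states of set A and report what survives."""
    zero, one, _, _ = set_a(theta)
    f = filter_a(theta)
    out0, out1 = apply(f, zero), apply(f, one)
    return {
        "eta": abs(dot(zero, one)),
        "pass0": dot(out0, out0),   # probability that |0_a> passes the filter
        "pass1": dot(out1, out1),   # probability that |1_a> passes the filter
        "out0": out0,               # unnormalized output, along |+x>
        "out1": out1,               # unnormalized output, along |-x>
    }

if __name__ == "__main__":
    r = discriminate(math.pi / 4)   # eta = 1/sqrt(2), as in the four-state example
    print(f"eta = {r['eta']:.4f}, pass = {r['pass0']:.4f}, 1 - eta = {1 - r['eta']:.4f}")
```

The remaining fraction η of the states is blocked, which is the inconclusive result the text refers to.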

The emitter and the receiver then follow the procedure of key distillation comprising the steps of QBER estimate, error correction and privacy amplification.

This new class of protocols is straightforwardly generalized to the use of quantum systems comprising more than two levels.

It can also be generalized to the cases where more than two sets of states are used.

While the invention has been described in connection with a preferred embodiment, it is not intended to limit the scope of the invention to the particular form set forth, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims.

REFERENCES

- [1] Nicolas Gisin, Grégoire Ribordy, Wolfgang Tittel, and Hugo Zbinden, “Quantum Cryptography”, Rev. of Mod. Phys. 74, (2002).
- [2] Charles Bennett and Gilles Brassard, in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179.
- [3] Charles Bennett, Phys. Rev. Lett. 68, 3121 (1992).
- [4] Gilles Brassard, Norbert Lütkenhaus, Tal Mor, and Barry C. Sanders, Phys. Rev. Lett. 85, 1330 (2000).

1. A method for exchanging a secure cryptographic key for a quantum cryptography apparatus employing non-ideal elementary quantum systems, wherein the apparatus comprises an emitter and a receiver, being connected by a quantum channel and a conventional communication channel, the emitter encodes each bit at random onto a pair of non-orthogonal states belonging to at least two suitable sets, there is no single quantum operation reducing the overlap of the quantum states of all sets simultaneously, the emitter sends the encoded bit along the quantum channel to the receiver, the receiver randomly chooses the analysis measurement within said suitable sets, the emitter sends the set information along the conventional communication channel, the receiver discards all received encoded bits for which he has chosen a different analysis measurement incompatible with the set they belonged to and sends an appropriate information to the emitter along the conventional communication channel.

2. The method according to claim 1, wherein in the step of the emitter sending an encoded bit along the quantum channel to the receiver weak coherent states are exchanged between the emitter and the receiver.

3. The method according to claim 2, wherein the weak coherent states are laser pulses with an average photon number per pulse of less than 0.5 photons, preferably less than 0.1 photons.

4. The method according to claim 1, wherein the emitter is using two sets A={|0_(a)>,|1_(a)>} and B={|0_(b)>,|1_(b)>}, chosen such that |<0_(a)|1_(a)>|=η_(a)≠0, |<0_(b)|1_(b)>|=η_(b)≠0, and wherein there is no single quantum operation reducing the overlap of the quantum states of all sets simultaneously, and the receiver randomly chooses the analysis measurement between

$$F_{A} = \frac{1}{\sqrt{1+\eta}}\left( |{+x}\rangle\langle 1_{a}^{\perp}| + |{-x}\rangle\langle 0_{a}^{\perp}| \right) \quad \text{and} \quad F_{B} = \frac{1}{\sqrt{1+\eta}}\left( |{+x}\rangle\langle 1_{b}^{\perp}| + |{-x}\rangle\langle 0_{b}^{\perp}| \right)$$

followed by a Von Neumann measurement distinguishing between |+x> and |−x>.

5. The method according to claim 1, wherein after a number of encoded bits has been transmitted, a protocol step is performed, within which emitter and receiver agree on a body of cryptographic key information which is shared between emitter and receiver, but secret from all other units who may be monitoring the quantum channel and the public channel, or else conclude that the encoded bits can not be safely used as cryptographic key information.

6. A method for exchanging a secure cryptographic key for a quantum cryptography system employing non-ideal elementary quantum states, where the key values are encoded on at least two sets of non-orthogonal quantum states characterized by the fact that it is not possible to find a single quantum operation, whether probabilistic or not, that reduces the overlap of the states of all sets simultaneously.

7. A quantum cryptography system employing non-ideal elementary quantum states to exchange secure cryptographic key information and comprising a source of non-ideal elementary quantum states, an emitter and a receiver, being connected by a quantum channel and a conventional communication channel, the emitter comprising or connected to a random number generator allowing to prepare random non-orthogonal quantum states belonging to at least two suitable sets, wherein there is no single quantum operation reducing the overlap of the quantum states of all sets simultaneously, the receiver comprising or connected to a random number generator allowing to choose an analysis measurement for said quantum states, the emitter being able to send the encoded bit along the quantum channel to the receiver and being able to send the set information along the conventional communication channel, the receiver being able to discard all received encoded bits for which he has chosen a different analysis measurement and to send an appropriate information to the emitter along the conventional communication channel.

8. The quantum cryptography system according to claim 7, wherein said source is a laser source and the emitter comprises a preparation device sending laser pulses with an average photon number per pulse of less than 0.5 photons, preferably less than 0.1 photons.

9. The quantum cryptography system according to claim 7, wherein emitter and receiver both comprise processing units being able to perform, after a number of encoded bits had been transmitted, a protocol step, within which emitter and receiver agree on a body of cryptographic key information which is shared between emitter and receiver, but secret from all other units who may be monitoring the quantum channel and the public channel, or else conclude that the encoded bits can not be safely used as cryptographic key information.

10. The method according to claim 1, wherein for each bit, the emitter is randomly using one of the four states |±x> or |±y> with the convention that |±x> code for 0 and |±y> code for 1, and sends it along the quantum channel to the receiver, the receiver randomly measures σ_(x) or σ_(y), the emitter announces one of the four pairs of non-orthogonal states A_(ω,ω′)={|ω_(x)>,|ω′_(y)>} with ω,ω′∈{+,−} and such that one of the states is the one which he has sent by sending an appropriate message along the conventional communication channel, the receiver discards all received encoded bits for which the measurement result he has obtained is possible for both states disclosed by the emitter and sends an appropriate information to the emitter along the conventional communication channel, the receiver deduces the state actually sent by the emitter and adds the corresponding bit to the key.